From Ivan's note p.246-248, in order configure access control on the server side, the web.xml should define something like this:
The sun-web.xml should define something like this:
My question is what if there are thousands of users who are granted access control? Should we define thousands of <role-name> for <auth-contraint> and etc?
And should we define thousands of <security-role-mapping> in sun-web.xml for each <role-name> in web.xml?
After reading the tutorial, it says to define role in the sun-web.xml , not individual users.
That makes more sense now. "Role" means the role of the individual users. Example of roles: students, admin, teacher and etc. Each student are in "students" role.